e-Banking and OTP Tokens – is it safe?

Security measures implemented in internet banking services may not fully protect users from identity related crimes.

Before writing this article I decided to distribute an online survey. As data was still coming in, it was immediately evident that the Maltese population regards internet banking as a plausible alternative to more traditional methods. Forty-four per cent of the respondents interact online with their respective banks at least a couple of times a month.

On the extremities, it was found that eight per cent use internet banking on a daily basis, while four per cent never use internet banking. Thirty eight per cent of the respondents were aged between 18 and 23, down to seven per cent aged 42-60. The samples for the 42-60 and 61+ age groups were not so representative, and this may have introduced a level of bias. However, a better understanding of the domain was achieved.

Before carrying out any transaction on your bank’s online services you are challenged to provide some kind of password or a set of different ‘keys’ which only you and your bank know about. If you disclose the correct ‘key’, the bank will be happy to believe that you are who you claim to be.

Different banks share different ‘keys’ with their customers; some ‘keys’ need to be remembered (e.g. PIN, user ID and password and/or memorable answer) and other ‘keys’ can also be generated by some token which the bank provides you with (e.g. a keychain-sized one-time password generator). Some banks also volunteer themselves to send you the generated ‘key’ over SMS.

Three out of four popular local banks protect their internet banking customers with what is known as two-factor authentication. This means that to access our bank accounts online there are two security doors which need to be opened, and to do so we need two different keys: The first factor (PIN or memorable answer) opens the first door, while the second factor (number which the token generates or which is received via SMS) opens the second door. Safe, right? Let’s see!

In the physical world, two doors add to actual security. This is the reason why in some branches you find yourself swerving around two separate doors before you can physically access a bank. Furthermore, each door behaves differently and is locked independently from the other, not to mention the security personnel manning the inner door. This will deter any impulsive actions from anyone trying to rush in or out of a bank with a bag full of our hard-earned money. However, this can never be a valid analogy for the online world.

Attacks on e-banking customers and systems are not rare. These generally exploit two important and non-technical elements in internet banking security: user education and trust. Phishing is a common modus operandi for attackers, and through this method attackers may obtain an important factor in internet banking: the one-time password (OTP) generated by a token or sent by SMS.

Even if the token requires a PIN to be used, the attacker may still obtain the resulting password, irrespective of how this was generated. Such phishing attacks generally make use of an authentication page which is identical to that of the victim’s bank. More targeted attacks will also send spoofed e-mails inviting the prospective victims to click on a malicious link. Such spoofed e-mails would appear to originate from a trusted source.

The problem lies in the fact that once the attacker has obtained this one time password along with the required credentials, he can then submit such information on the real bank’s website in order to gain access to the victim’s financial statements. This kind of attack generally leads to identity related crimes.

So, aren’t OTP tokens safe? They are handy. Unfortunately they do not protect you from phishing attacks. Such OTP tokens generate a one-time password or key which is generally valid for 30 to 60 seconds; enough time for the user to submit this key on the bank’s site. However, most bank implementations do not take this time-window seriously, and one may find implementations which give a staggering three- to five-minute time-window before the one-time password is invalidated, if ever. This gives attackers plenty of time to collect credentials and one-time passwords, and to gain access to victims’ financial records.

Authorising transactions rather than authenticating users is one way forward to protect e-banking customers. Most importantly, banks need to invest time, energy and money to educate us, their customers, to be able to sniff out potential attacks.
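The two points above (the acceptance window a bank applies to a time-based OTP, and authorising a specific transaction instead of merely authenticating the user) can be shown in code. The following is an added example written for this article, not code from any bank or from the author: it implements standard HOTP/TOTP (RFC 4226/6238), a bank-side verifier whose `window` parameter is the number of 30-second steps it still accepts, and a hypothetical transaction-signing scheme in which the code is an HMAC over the beneficiary and amount. The secret is the RFC test-vector key and the beneficiary labels are constructed placeholders.

```python
"""Added example (not from the article): a lax TOTP acceptance window versus a strict one,
and a transaction-bound code that only authorises the transfer it was computed for.
The secret and beneficiary values are constructed for illustration."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time (seconds)."""
    return hotp(secret, at_time // step, digits)


class OtpVerifier:
    """Bank-side verifier. `window` is how many time steps either side of 'now' are accepted;
    with a 30 s step, window=5 keeps a code valid for up to ~150 s after its step ended,
    which is the multi-minute validity the article criticises. Accepted counters are
    recorded so the same code cannot be used twice."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 0):
        self.secret = secret
        self.step = step
        self.window = window
        self.used_counters = set()

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter in self.used_counters:
                continue  # an already-consumed code is never accepted again
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False


def transaction_code(secret: bytes, beneficiary: str, amount_cents: int,
                     counter: int, digits: int = 8) -> str:
    """Hypothetical transaction-signing scheme (not any specific bank's): the MAC covers the
    beneficiary and the amount as well as a counter, so the code authorises exactly this
    transfer and nothing else."""
    message = (struct.pack(">Q", counter) + beneficiary.encode("utf-8") + b"\x00"
               + struct.pack(">Q", amount_cents))
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TransactionVerifier:
    """Accepts a code only for the exact (beneficiary, amount, counter) it was computed over, once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_counters = set()

    def verify(self, code: str, beneficiary: str, amount_cents: int, counter: int) -> bool:
        if counter in self.used_counters:
            return False
        expected = transaction_code(self.secret, beneficiary, amount_cents, counter)
        if hmac.compare_digest(expected, code):
            self.used_counters.add(counter)
            return True
        return False


def demo() -> dict:
    """Runs the scenarios from the article and returns which defensive properties held."""
    secret = b"12345678901234567890"  # RFC 4226/6238 test-vector key, constructed for the demo
    now = 1_000
    stale_code = totp(secret, now - 150)  # generated five steps (150 s) ago
    lax = OtpVerifier(secret, window=5)   # three-to-five-minute style tolerance
    strict = OtpVerifier(secret, window=0)
    results = {
        "lax_accepts_stale": lax.verify(stale_code, now),
        "strict_rejects_stale": not strict.verify(stale_code, now),
    }
    fresh = totp(secret, now)
    results["strict_accepts_fresh_once"] = strict.verify(fresh, now)
    results["strict_rejects_replay"] = not strict.verify(fresh, now)

    tx = TransactionVerifier(secret)
    code = transaction_code(secret, "BENEFICIARY-A", 12_500, counter=7)
    results["tx_rejects_other_beneficiary"] = not tx.verify(code, "BENEFICIARY-B", 12_500, 7)
    results["tx_rejects_other_amount"] = not tx.verify(code, "BENEFICIARY-A", 99_900, 7)
    results["tx_accepts_exact_once"] = tx.verify(code, "BENEFICIARY-A", 12_500, 7)
    results["tx_rejects_replay"] = not tx.verify(code, "BENEFICIARY-A", 12_500, 7)
    return results


if __name__ == "__main__":
    for name, held in demo().items():
        print(f"{name}: {held}")
```

The `window` parameter is the single knob that turns a 30-second token into a multi-minute one on the server side; the verifier also marks each counter as used, so a code that has already authenticated a session cannot be presented a second time. The transaction-bound code shows the article's closing recommendation: because the beneficiary and amount are part of the MAC input, a code captured for one transfer is useless for any other.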
